iPhone, iPad Users Are Open to iOS File Sharing Risks: Researcher

A Trustwave researcher finds some serious flaws in Apple iOS apps that could be opening up users to exploitation.

File sharing apps for Apple iOS mobile devices can potentially represent a security risk to users, according to a Trustwave security researcher.
Bruno Goncalves de Oliveira, senior security consultant at Trustwave, explained to eWEEK that he conducted research into a number of Apple iOS file sharing apps that are commonly used by Apple iPhone and iPad users as an easy way to share pictures, documents and other types of content.
With a file sharing app, the user is essentially opening up the iOS device to accept inbound connections from other users, enabling access to content. The problem, according to Oliveria, is that many of the file sharing apps include a Web server component, which typically is not properly secured.
"So the user starts the file sharing application, which then starts a Web server on the device," Oliveira said. "Anyone can then upload and share files."

Oliveira added that the apps he surveyed lacked basic security features such as encryption and user authentication, which either were not present at all or not enabled by default. All modern Web transactions can and should be secured by Secure Sockets Layer (SSL) encryption, which is what the mobile file sharing apps that Oliveira analyzed were missing.

Going a step further, many of the surveyed apps did not require any form of user authentication by default. As such, anyone who can find the device on the network can get access to the file sharing app.
Finding potentially vulnerable iOS devices on a network that are running file sharing apps isn't a hard task either. Oliveira said the mDNS (Multicast DNS) that is used by iOS devices broadcasts what ports are open on a device. There are mDNS browser apps available for iOS that can be used by anyone to easily see all devices on a network that have open ports that are likely to be running a file sharing Web server.
Adding additional insult to injury, Oliveira's research showed the potential for data leakage beyond what the file sharing apps were publicly sharing. Apple uses a robust sandboxing approach for iOS that is supposed to limit an app's ability to perform actions outside of its restricted area. Depending on the version of iOS, Oliveira had different results when trying to get access to the filesystem. Apple recently updated iOS to Version 7.
"With iOS 6, I was able to access a lot of different types of system files, even if the device was not jailbroken," Oliveira said. "However, with iOS 7, Apple has now implemented another security layer and you can only access the given application's folder."
The root cause for the insecurity in the iOS file sharing apps doesn't rest with Apple, according to Oliveria, but rather with the software developers who built the apps. Beyond the lack of proper encryption by default in the file sharing apps, Oliveria also specifically identified a number of path traversal flaws that enable attackers to get access to files outside of the core Web root folder in a number of mobile apps. One of the flaws publicly disclosed by Oliveira impacts the FTP Drive iOS file sharing app, which has not yet been patched.
"The application FTP Drive is vulnerable to file path traversal attacks allowing non-authenticated attackers to gain access to arbitrary system files on the device, utilizing a simple bypass, %2f instead of (/) using URL encoding," Oliveira wrote in a public advisory.
Oliveira found and reported a similar flaw in the Easy File Manager iOS app, which also has yet to be patched.
There are a few things that Oliveira suggests users do to protect themselves from iOS file sharing app risks. He recommends that users avoid downloading apps from unknown manufacturers. For enterprises, Oliveira recommends the use of proper mobile device management (MDM) technologies that can limit the risks of data leakage.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.